This new version, labelled Flashback.S, still exploits the same Java vulnerability but has been tweaked to get around Apple's XProtect, according to Sophos's Chester Wisniewski.

XProtect relies on exact fingerprints (signatures) of known malware samples, so a small change to the file is enough to evade it. Security Watch highlights that last year, when Apple updated its XProtect signature, malware writers simply tweaked Mac Defender to bypass it.

The report also criticises Apple for only protecting Lion and Snow Leopard users. Other Mac users are just told to disable Java.

Flashback.S drops two files in the user's home folder at the following locations:

~/Library/LaunchAgents/com.java.update.plist

~/.jupdate
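As an added example, not a tool from Sophos, Intego or the article, the POSIX shell functions below check a home directory for the two artifacts listed above and can be run over every account under a base directory such as /Users, because the LaunchAgent is installed per user and a clean admin account says nothing about the other accounts on the machine. Only the two paths come from the article; the function names and the directory argument are this example's own.

```shell
#!/bin/sh
# Added example: hunt for the two Flashback.S artifacts named in the article.
# Not Intego's or Sophos's code. Only the two relative paths are from the
# article; everything else (function names, arguments) is assumed here.

# flashback_s_indicators HOME_DIR
#   Reports each artifact present under HOME_DIR on stderr.
#   Returns 0 if nothing was found, 1 if at least one artifact is present.
flashback_s_indicators() {
    home="$1"
    hits=0
    for rel in "Library/LaunchAgents/com.java.update.plist" ".jupdate"; do
        if [ -e "$home/$rel" ]; then
            printf 'indicator present: %s\n' "$home/$rel" >&2
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# scan_all_homes BASE_DIR
#   Runs the check over every directory directly under BASE_DIR (e.g. /Users)
#   and prints the number of home directories that carry an indicator.
scan_all_homes() {
    base="$1"
    infected=0
    for h in "$base"/*; do
        [ -d "$h" ] || continue
        if ! flashback_s_indicators "$h"; then
            infected=$((infected + 1))
        fi
    done
    echo "$infected"
}

# Stand-alone use: sh flashback_check.sh /Users
if [ -n "${1:-}" ]; then
    count=$(scan_all_homes "$1")
    echo "home directories with Flashback.S indicators: $count"
fi
```

On a live Mac the presence check is the cheap first pass; a found com.java.update.plist should also be cross-checked against `launchctl list` for the loaded agent (the plist's internal label is not given on this page) and the plist read to see what program it launches, and the machine should then be treated as compromised rather than merely cleaned, given the credential-sniffing behaviour described below.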

Once installed, it deletes the cached Java files that delivered it, to hinder detection and to make recovering a sample of the exploit harder, according to Intego.

Sophos claims that the difference between Flashback.S and the previous variant is so minor that Sophos's and other Mac anti-virus products will still detect it.

The Flashback.G variant was discovered by Intego in February. It injects code into web browsers and other applications that connect to the Internet, often causing them to crash. It attempts to capture usernames and passwords entered into many popular sites (banking sites, Google, PayPal and others), presumably so that the attackers behind it can use those credentials elsewhere.

That Flashback variant, discovered two months ago, prompted for administrative privileges but did not need them: it could still install under the current user's account if the prompt was refused.

Contrary to reports by several security companies, the Flashback botnet is not shrinking, the Russian antivirus firm that first reported the massive infection three weeks ago claimed today. Dr. Web, which earlier this month was the first to report the largest-ever successful malware attack against Apple's OS X, said on Friday that the pool of Flashback-infected Macs still hovers around the 650,000 mark, and that infections are continuing.